24. February 2021

Security for WordPress systems

Secure your website against attacks!

Over 60 percent of the world’s websites that run on a content management system use WordPress. We have also focused on this system for many years and are continually impressed by its ongoing development. However, widely used systems have the disadvantage of being attacked more often, because attackers naturally expect a higher return from targeting a system that so many sites run.

Due to this and the current increase in attacks on WordPress systems, we would like to provide you with general information on this topic and advise you to take a few precautionary security measures.

Regular system maintenance and updates

Websites and content management systems are similar to operating systems. Updates are necessary and useful from time to time, not only to close security gaps, but also to add new features.

With version 5.6, WordPress recently extended the auto-update function to plug-ins and themes. This means that a large number of extensions, as well as the core system itself, can be updated fully automatically. However, we recommend using auto-updates only for non-critical plug-ins. Major version upgrades of the core system itself should of course still be carried out under supervision.

We will be happy to set up an update reminder for your website. We will then contact you at least twice a year about possible updates and decide together whether or not to carry them out.

Further security recommendations

Deactivation of the XML-RPC interface

This interface is used by external apps to access the content of the WordPress system. The WordPress app, for example, uses this method to publish content. However, most of our customers use the dashboard to manage the systems, so this interface can be deactivated.

Securing the theme editor

As soon as an intruder has access to the dashboard, they can in principle use the built-in editor to modify the theme files and thus inject malicious code. This can be prevented by deactivating the theme editor.

Checking the admin user

In older WordPress systems, the admin user was named “admin” by default. This means that part of the “username / password” combination is already known. We check the admin user, rename it if necessary and set a new, complex password. We also ensure that the names of the WordPress authors cannot be read via the REST API.

Prevention of multiple login attempts

With the help of brute force attacks, attackers try to gain access by simply trying out countless “username / password” combinations. With the help of a WordPress extension, we can ensure that these users are locked out after X attempts and thus prevent “lucky hits” with insecure passwords.

Incidentally, this applies not only to the admin user, who is usually managed by us, but also to the accounts of all editors!

Securing the upload directory

The WordPress upload directory can also become an entry point into the website if executable files are uploaded to it. We therefore recommend generally preventing the execution of PHP code in the upload directory.
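As an added illustration of the measures above (XML-RPC, theme editor, REST API author names and login attempt limiting), here is a must-use plug-in written for this article; it is example code, not something the web team or WordPress ships. The attempt count, lockout duration and the `harden_` names are assumptions; blocking PHP execution in the upload directory is a web server setting and is not covered here.

```php
<?php
/*
 * Plugin Name: Hardening example (constructed for this article)
 * Place the file in wp-content/mu-plugins/ so WordPress loads it on every request.
 */

// Deactivate the theme and plug-in editor. The documented place for this
// constant is wp-config.php; defining it here works because the editor
// menus are built only after must-use plug-ins have loaded.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Deactivate the XML-RPC interface; core consults this filter on every XML-RPC call.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Hide author usernames from anonymous REST API clients by removing the
// users routes for visitors who are not logged in.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// Lock out a client after too many failed logins (assumed: 5 attempts, 15 minutes).
define( 'HARDEN_MAX_ATTEMPTS', 5 );
define( 'HARDEN_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

function harden_client_key() {
    // Behind a reverse proxy REMOTE_ADDR is the proxy address; adjust accordingly.
    return 'harden_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count each failed attempt; the transient expires after the lockout period.
add_action( 'wp_login_failed', function () {
    $key   = harden_client_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, HARDEN_LOCKOUT_SECONDS );
} );

// Refuse further logins once the limit is reached. Priority 30 runs after the
// core password check (20), so the rejection also counts as a failed attempt.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( harden_client_key() ) >= HARDEN_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () { delete_transient( harden_client_key() ); } );
```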

We cannot guarantee that these measures will be sufficient, but they will at least make it a little more difficult for people with malicious intentions to attack your website.

Do you have further questions about security or would you like to improve the security of your website?

Please simply get in touch with your contact person from our web team:
